Target Card Breaches Open New Front in Old Battle With Bankers

Bankers and retailers are resuming their fight over responsibility for losses from cybertheft as Congress weighs responses to a security breach at Target Corp. that exposed data from tens of millions of accounts.

The two sides, antagonists in other disputes over card payments, have already drawn up lines of attack for a series of hearings in Congress that begin this week. Bankers want retailers to cover more of the cost of breaches. Retailers say bankers need to adopt more-secure card technology. Lawmakers must decide whether to act to require tighter security or swifter disclosures.

"This pits powerful banks against powerful merchants," said Jaret Seiberg, a policy analyst at Guggenheim Securities LLC's Washington Research Group. "Everyone will have a headache, there will be so much noise, but in the end, I doubt Congress is going to intervene."

At stake is about $40 billion of revenue earned by card issuers including JPMorgan Chase & Co., as well as the profits of Target and other retailers affected by the breaches. More than $3 trillion in U.S. customer transactions take place each year through the point-of-sale systems infiltrated by the hackers, according to David Robertson, publisher of the Nilson Report, an industry newsletter based in Carpinteria, Calif.

'Gravest risk'

"The threats posed by cybersecurity attacks represent some of the gravest risk to our industry, the financial services industry, as well as the economy more broadly," said Tim Pawlenty, president of the Financial Services Roundtable, which represents large banks and payment networks. "The laws people take to these issues need to be updated."

Names as well as home and email addresses for as many as 70 million Target customers were taken, the Minneapolis-based company said in a Jan. 10 statement. Target previously said credit- and debit-card data of 40 million accounts were stolen. It's likely that the two groups overlap, though it's unclear to what extent, Molly Snyder, a spokeswoman, said in an interview.

Proposals before Congress include setting national standards for database security and notifying customers when breaches occur. Sens. Tom Carper, D-Del., and Patrick Leahy, a D-Vt., have reintroduced previous data security bills. Senate Commerce Chairman Jay Rockefeller, a West Virginia Democrat, offered a new measure on Thursday for customer notifications.

Swipe fees

U.S. merchants typically pay fees totaling about 2 percent of the purchase price for credit card transactions. These so-called swipe fees, also known as interchange, help card-issuing banks such as JPMorgan and Bank of America Corp. fund rewards programs and cover fraud costs.

Lenders and retailers have sparred for years over swipe fees, which merchants have said are too high. In 2011, retailers won one round when lawmakers authorized a cap on fees for debit card transactions, which has reduced banks' annual debit-interchange revenue by 50 percent to about $8 billion.

Now they are fighting over who should bear the costs of repairing the damage and adopting more secure technology.

"It's clear that banks are already absorbing at least two-thirds of the cost, if not more, in order to protect their customers for a breach they had nothing to do with," said Ken Clayton, executive vice president of legislative affairs and chief counsel for the American Bankers Association. "They are rightfully upset about that."

American Express Co., Visa Inc. and MasterCard Inc. have given most U.S. merchants and issuers until October 2015 to adopt a technology known as EMV or assume liability for counterfeit card transactions. EMV — named for founders EuroPay International, MasterCard and Visa — has become a standard in Europe and much of the rest of the world. They are also pushing retailers to use a process known as "tokenization," where sensitive account information is replaced with proxy data known as a digital "token."

Obsolete technology

For their part, retailers and consumer advocates accuse banks of clinging to obsolete magnetic-stripe technology that has put merchants and their shoppers at risk.

"I need to hear from the banks that it's not only the retailers' fault; the retailers are forced to use obsolete technology," said Edmund Mierzwinski, consumer program director for the U.S. Public Interest Research Group, which supports the retailers. "I want to see some piety or some apology from the banks that it's partly their fault."

Retailers and bankers end up paying roughly equal amounts in the wake of data breaches, "and even that is problematic," said Mallory Duncan, general counsel to the National Retail Federation. "This fraud is being caused by the cards they issue: They are issuing fraud-prone cards." Members of his Washington-based trade group include Saks Inc. and the Container Store Group Inc.